WHMCS Global Services - hacked and doing nothing about it

[bear]

37 minutes ago, wp4all said:

@bear in other community Post it was possible to delete just the link and not the whole Post ?

Yes. As mentioned, each community handles moderation in their own way. The mods here removed the first thread, for reasons only they know. With the new thread, perhaps they felt the information was possible to convey without including the actual leaked data. Mods move in mysterious ways here. 😉

Quote

Rarely never read such a contradiction. 
...
What could be closer to the customer than bringing the information here?

Not sure how it's a contradiction as far as closed vs removed from view. Closing a thread leaves it visible but removes the ability to respond to it.
If you're referring to the last line, I'd agree. The *type* of information is another matter. Letting users of that 3rd party company know is absolutely something they should do. Allowing the inclusion of leaked info that could damage not only that company further but lead to additional hacks of those that had used them is not. They're not responsible for the addons/templates that WGS sold, but letting folks know there's a problem I'd say is proper. 

[Kian]

1 hour ago, wp4all said:

WHMCS has a damn duty to inform its customers about possible damage.

I Agree totally that no one can  desire that WHMCS has to proof every single Theme, Module or Addon but you have the duty to inform your customers about possible damages even more if you know about them.😉

I respectfully disagree.

It's pretentious to say that it's their duty. Why should they inform customers of WGS hack and not for *Insert any random and unknown developers listed on Marketplace*? Why should they officially make any statement about this issue? Just to receive hundreds of tickets of angry people asking WHMCS to support them? It's up to WGS.

2 hours ago, WHMCS John said:

we state in our FAQs that we do not monitor, review or provide any assurances about the quality of code contained within any add-ons or extensions and that installation and use of modules obtained via the Marketplace is done so at the users own risk. 

Just this.

[wp4all]

20 minutes ago, Kian said:

It's pretentious to say that it's their duty. Why should they inform customers of WGS hack and not for *Insert any random and unknown developers listed on Marketplace*? Why should they officially make any statement about this issue? Just to receive hundreds of tickets of angry people asking WHMCS to support them? It's up to WGS.

really ?

Which children do you really think we are ? 

Why to hell should I open an ticket if an Software Provider inform me listen if you use an addon of *Insert any random and unknown developers listed on Marketplace* please be informed that we recognized there is an potential hack.

With reference to the Guideline and maybe also some tips ?

I know in some countries, customer service is a mystery but I would wish that a Company which sells a software which I entrust my customer data, reputation and money ( and here we have the responsibility) have 5 min time to write a statement.

We would point out again following information :

- bäääm....

- bäääm.....

- bäääm...... 

- over & out 

I would say wow thanks to get in mind that some of this addons on this Marketplace are developed by others an be carefully and use it on you own risk.
 But deleting Posts (or locked for the public) giving silence and than just write a standard  phrase we are not in charge of any addons on the Marketplace is everything else but certainly no service on the customer.

And @Kian  I'm not the only one with this opinion truly not, if I would count all the pots that could be found by an simple *enter your favorite Search engine* search about the hack, you would possibly change your opinion as well (maybe who knows)

Just say listening to the Frog 😉

My last 2ct to this post.

 

a proverb from germany says : in some hops and malt is lost. cheers

Christian

 

[bear]

1 hour ago, wp4all said:

I know in some countries, customer service is a mystery but I would wish that a Company which sells a software which I entrust my customer data, reputation and money ( and here we have the responsibility) have 5 min time to write a statement.

WHMCS did *not* sell you those plugins. You bought those from WGS, and that's who needs to be held accountable. WHMCS lists them in the marketplace as a convenience, not a partner or supplier of them. 

[Kian]

34 minutes ago, wp4all said:

Which children do you really think we are ?  

Why to hell should I open an ticket if an Software Provider inform me listen if you use an addon of *Insert any random and unknown developers listed on Marketplace* please be informed that we recognized there is an potential hack. 

Because some people (not you, not me) open ticket without even thinking. I regularly see people submitting tickets to company A for products/services sold by company B and I'm not talking about the end-user with no knowledge and awareness. I'm talking about owners of pretty big companies. It's not that they're stupid or childish. It's just that they panic. If only the 2% of all WHMCS customers would act this way, imagine the load of tickets to manage.

I don't see Microsoft, Google, Apple, Wordpress, PHP (...) pointing out vulnerabilities of third parties apps, softwares and libraries. I don't see Hosting Providers sending emails to their customers about vulnerable plugins in their installations of Joomla, Wordpress, Drupal, Typo3 etc. They have other duties such as keep servers online and secure, publish news, bring new products, improve the quality of their services and so on.

1 hour ago, wp4all said:

I'm not the only one with this opinion truly not, if I would count all the pots that could be found by an simple *enter your favorite Search engine* search about the hack, you would possibly change your opinion as well (maybe who knows)

Frankly I'll never understand this tendency to put the blame elsewhere when things go wrong. Don't get me wrong, I understand your frustration but the fact that many people share your opinion and think that WHMCS should do something about it doesn't change anything.

Is there any contract or law that forces Microsoft, WHMCS, Magento to inform their customers about vulnerabilities caused by others? Of course not. As if it wasn't enough WHMCS is saying and repeating everywhere that they don't give a damn about third-party modules.

[Remitur]

On 10/3/2018 at 12:05 PM, wp4all said:

Rarely never read such a contradiction. This is a community for the WHMCS community WGS offers 3th party modules for just this software. What could be closer to the customer than bringing the information here?

Just my two cents:

• that "whm" in WHMCS resembles the cpanel's WHM interface.
  So, historically, WHMCS is strictly bound to cPanel, in its own name too.
  This is a short report about cpanel vulnerability statistics: https://www.cvedetails.com/product/3023/Cpanel-Cpanel.html?vendor_id=1766
  And daily dozen of cPanel servers are violated.
  Is maybe WHMCS responsible of that?
   
• I don't use any module from "whmcs global services", so I'm not sure about this... but, as I understood, it's not their modules which were violated: the hacker violated their systems, got their customers data, and the hacker is saying that thei module are not secure and he's able to hack any WHMCS install which uses thei modules... but no proof of it, right?
  So, we only know that "whmcs global service" was hacked (bad thing but... * happens!) but have no proof that "whmcs global service" software is weak.

By the way: as I understood, few customers executed a script sent by email by the hacker, and this script deleted the "whmcs global service" modules... isn't it?
If it's so, I can't imagine a more stupid thing to do than blinding executing a script received in such a way... 😕

  

•  

[WHMCS John]

Hi all,

We've taken the decision to temporarily remove WGS' listings from the Marketplace and have reached out to them. We expect to restore listings once we can be confident in the safety for our users.

[bullten]

1 minute ago, WHMCS John said:

Hi all,

We've taken the decision to temporarily remove WGS' listings from the Marketplace and have reached out to them. We expect to restore listings once we can be confident in the safety for our users.

Atleast some care about its user. I agree WGS is a third party but its listing is being done on WHMCS market place. Also WHMCS needs to think what measures can be done to protect its users from third party addon hacks. We are in a business where we need some sort of development side protection. Cant do server management and software development all in one place.

[tap0le]

7 hours ago, Remitur said:

Just my two cents:

• that "whm" in WHMCS resembles the cpanel's WHM interface.
  So, historically, WHMCS is strictly bound to cPanel, in its own name too.
  This is a short report about cpanel vulnerability statistics: https://www.cvedetails.com/product/3023/Cpanel-Cpanel.html?vendor_id=1766
  And daily dozen of cPanel servers are violated.
  Is maybe WHMCS responsible of that?
   
• I don't use any module from "whmcs global services", so I'm not sure about this... but, as I understood, it's not their modules which were violated: the hacker violated their systems, got their customers data, and the hacker is saying that thei module are not secure and he's able to hack any WHMCS install which uses thei modules... but no proof of it, right?
  So, we only know that "whmcs global service" was hacked (bad thing but... * happens!) but have no proof that "whmcs global service" software is weak.

By the way: as I understood, few customers executed a script sent by email by the hacker, and this script deleted the "whmcs global service" modules... isn't it?
If it's so, I can't imagine a more stupid thing to do than blinding executing a script received in such a way... 😕

  

•  

There was proof of it. That's what is contained in the pastes that were removed. It was proof and additionally instructions on how to take advantage of the vulnerabilities. (they only showed one module, and threatened to show the other vulnerabilities if WGS didn't fix them)

5 minutes ago, WHMCS John said:

Hi all,

We've taken the decision to temporarily remove WGS' listings from the Marketplace and have reached out to them. We expect to restore listings once we can be confident in the safety for our users.

Thank you. It's much appreciated!

[Kian]

40 minutes ago, bullten said:

Also WHMCS needs to think what measures can be done to protect its users from third party addon hacks. We are in a business where we need some sort of development side protection. Cant do server management and software development all in one place.

It's virtually impossible. Notice that I very rarely use this word. I myself had my dose of hell that brought me to "waste" days coding things that play with checksums. This is not something that can be done "externally" by WHMCS. Sadly it's part of the game.

[adamjedgar]

I am not a programmer, however, as a relatively inexperienced client of WHMCS, I purchase this software and use third party addons almost exclusively because i find them via WHMCS main website. To me that means i can be rest assured they are safe to use.

If my fledgling system and business got exposed before i get off the ground...I am destroyed before i even get started. that is a heartbreaking thought and fear. I have spend many hundreds of hours over the last 12 months researching, learning, testing, failing, cursing and crying over issues related to server management and now ecommerce platforms such as WHMCS. 

 

I am deeply worried to even read threads like this...it has me thinking that i need to change platforms to something else like Hostbill before everything i have put blood, sweat and tears into over the last year, blows up in my face.

 

I appreciate, that its a difficult road for whmcs in providing the market website as a place for third party addons, but in all honesty, if one chooses to provide the opportunity for third party developers to put up addons for sale there, then one takes on the responsibility for third party f$#%ups and must be ahead of the game. I am surprised at how long it appears to have taken for WHMCS to decide to take down this vendor...it should have been immediately upon learning of the hack, not after anarchy arises from the community. 

If under the circumstances WHMCS doesnt have the staff to monitor such addons, then might i suggest they develop a financial strategy for filling that need (ie charge third party developers a fee for listing to facilitate employing a software engineer or two who can check). 

 

I really am enjoying the WHMCS product btw and am thankful for there particularly good support to me. My comments above are from fear, not loathing.

 

Edited October 8, 2018 by adamjedgar

[brian!]

Hi Adam,

11 hours ago, adamjedgar said:

I am not a programmer, however, as a relatively inexperienced client of WHMCS, I purchase this software and use third party addons almost exclusively because i find them via WHMCS main website. To me that means i can be rest assured they are safe to use.

I hope you now realise that your assumption is not necessarily correct... Marketplace is nothing more than an internet version of a shop window with postcard adverts in it...

they aren't verified or guaranteed addons, or even checked in any way by WHMCS - and they clearly state that - you buy addons from there at your own risk, in the same way that Google isn't responsible if you used it to find whmcs.com and buy a license for the core WHMCS software.

11 hours ago, adamjedgar said:

I am deeply worried to even read threads like this...it has me thinking that i need to change platforms to something else like Hostbill before everything i have put blood, sweat and tears into over the last year, blows up in my face.

there are no 100% safe solutions - if such a beast existed, we'd all be migrating over to it!

11 hours ago, adamjedgar said:

I appreciate, that its a difficult road for whmcs in providing the market website as a place for third party addons, but in all honesty, if one chooses to provide the opportunity for third party developers to put up addons for sale there, then one takes on the responsibility for third party f$#%ups and must be ahead of the game.

they may have a responsibility to remove listings from their Marketplace site if they know, or reasonably suspect, that there may be a serious security issue with the products in question, but I don't see their responsibility going far beyond that.

13 hours ago, adamjedgar said:

If under the circumstances WHMCS doesn't have the staff to monitor such addons, then might i suggest they develop a financial strategy for filling that need (ie charge third party developers a fee for listing to facilitate employing a software engineer or two who can check). 

that will simply never happen... i'm not even going to add any caveats to that statement, it simply won't.

many years ago (I think Marketplace had just replaced the old abandoned App Store), a respected developer contacted me about this with regards to collaborating on doing what you suggest (e.g verifying addons coding etc) and long story short, it would be an absolute nightmare to do.

for one thing, third-party developers would have to submit unencoded versions of their addons - which would require the creation of a Chinese wall between the developers checking the addon code and those working on the core WHMCS product (if WHMCS were going to do this)... crucially, in order to prevent the third-party developer from submitting a 'clean' version of the addon for assessment, but selling another 'dodgy' version directly themselves, you would have to bring sales (or at least downloads) under the exclusive control of WHMCS... how many developers are going to want to do that? if there's an addon assessment/listing fee, that's going to be an inflated cost passed on to the end-user and would smaller developers want/afford to do that ??

I could go on as i'm only touching the tip of the iceberg with the above example issues - there are a hell of a lot more problems, including some potential legal ones, having examined it closely.

remember that there is nothing to stop anyone from creating an addon that does two things (e.g firstly what it's meant to, and then something else nefarious in the background) and adding it to Marketplace - if the nefarious task isn't spotted by users, then who's going to know... WHMCS only immediate concern would be whether the listing is following the rules, not what the addon is potentially doing.

so as with everything else in business, i'm afraid that it's caveat emptor - read the reviews (try to ignore the fake ones!); see how long the developers have been around; what other products they offer etc - but ultimately, WHMCS is not vouching for anything bought via links in Marketplace... and I doubt they ever will.

[adamjedgar]

if that reflects the philosophy of whmcs then i clearly am with the wrong business and using the wrong product.

Edited October 10, 2018 by adamjedgar

[yggdrasil]

I said this years ago when the auto update feature on WHMCS was first announced. Its an horrible idea for a software that provides billing and sensitive data (logins). This is not WordPress. Let me put like this. The auto update feature from WHMCS and their marketplace is a security disaster waiting to happen and that will be the end of WHMCS as a company because they don't exactly have a great history on protecting their own servers and services. I cannot imagine once a malicious actor gets access to one part of WHMCS and starts to push malicious code into hosting/service provider companies (or all WHMCS customers...). This post is just one example of how this can happens every day with software companies.

Let me say this one more time. WHMCS stores billing information and servers logins/passwords + customers information. It's a highly sensitive software and the companies that use them also store data that is gold for hackers. ANY REMOTE CODE pulling from a remote server IS A HORRIBLE IDEA in terms of security. On top of that, WHMCS thinks that security by obscurity (ioncube) will protect its software instead of letting more developers and companies access the code and report them potential bugs, security issues or even help with patches.

This is why no big cloud vendor will ever use WHMCS either. You cannot even audit the code as its obfuscated.

[brian!]

5 hours ago, adamjedgar said:

if that reflects the philosophy of whmcs then i clearly am with the wrong business and using the wrong product.

for the avoidance of any doubt - I don't work for WHMCS and am not speaking on their behalf... it's merely a personal opinion based on nearly 6 years dealing with them, how they operate and having taken a closer look at this issue years ago.

[yggdrasil]

7 hours ago, adamjedgar said:

if that reflects the philosophy of whmcs then i clearly am with the wrong business and using the wrong product.

WHMCS is not responsible for the modules  from third party developers. How could they? They didn't wrote that code and secondly, most developers sadly just like WHMCS also encode their modules, so even if WHMCS wanted to review the code or scan it for vulnerabilities, they can't.

This is no different when a customer buys a hosting service, installs 10 garbage scripts, one wordpress, one joomla with 100 plugins and never updates anything. Then 2 years later blames the hosting company that his website was compromised. How can the hosting company be responsible if they are giving the customer completely and total free access to install anything they want? Answer, they are not responsible for the websites security, just for the server.

Same deal. You can install WHMCS addons/plugins/modules from anywhere, WHMCS just provides a centralized way to advertise them for developers. The addons are not even hosted by WHMCS. You buy them or download them directly from the developers site. This is like trying to blame Microsoft if your computers gets hacked because you downloaded pirated software from torrent networks. Again. Its your computer. Same with WHMCS. Its your server, you can install anything on it, bad or good.

This is also why I think the marketplace is a bad ideas a well. WHMCS charges directly for those services, but I'm very sure they are not going to be responsible for those services either. That is a slippery slope as they are basically reselling those services and charging directly. So if that was the case, you could make WHMCS responsible since there was a money exchange, you are making business with them. As for the addons, you are not. WHMCS is not charging you or anyone to download or buy those addons. The relationship is not with WHMCS but directly with the developer. Hence WHMCS can't be responsible.

The best the community can do, is post bad reviews and inform others that the modules are compromised or have a security hole. The short lesson with ANY software, not just the one you install on your server but also on any computer device. You should only trust or buy software from a person you trust. This is why I don't buy encoded software either, WHMCS was my last encoded script actually. I would never buy an encoded module from a developer for the simple reason I don't trust him/her and I can't see what the code does on my server. Everyone else should take the same precautions. Would you eat a sandwich  found on the street or that a stranger is giving you? No. Same here. Why would you run un-trusted code in your server. You don't. Software listed on the marketplace for WHMCS should still not be trusted, its just a page to promote third party developers. You should still make your proper research. It does not mean its vetted or certified by WHMCS the company.

To quickly answer your question. If you care about security, then yes, WHMCS is probably the wrong product. Why? Because you cannot see what the code does. WHMCS can slip what ever they want in some future into your servers and you would never be aware. For example, if the hacked addons from that company had open code, and a company blocked or removed the update servers (like for example you can do with Chrome plugins by editing the manifest file), those companies would have prevented the hack. Why? Because the auto updates would had failed and the attacker would be spotted assuming the company then informed its customers properly to not update the software. But since WHMCS is encoded, and most developers (but not all, some are already correctly offering open code version of their modules) you just have to trust WHMCS and the developers with their word and what the code does. This is why open source is so popular on the enterprise. Modifications and security can only be achieved if you can edit the code to fit your organization purposes.

Edited October 10, 2018 by yggdrasil

[bullten]

Well I love when someone tried to give examples to explain something. Someone on top said that if android phone gets hacked by apps provided on google store then how google can be responsible for it. Well you don't read news properly google do remove the  apps if they find breaking its community or creating threat to it. Google/Apple have a team now to check and monitor. So the example was baseless.

Second someone said its impossible to verify codes. By the way I have personally seen developers whom you give code they will take on 15-30 minutes to understand its functioning. Its how you understand logic but mostly developers lacks logic and only knows the particular coding as google is now their friend. Everything is copied from google and coding is done that way now. Dont mind when truth is being said. Well there wasn't google, there wasn't Facebook, there wasn't Windows. Everything was made based on demand,services expectation. The time has come to act to it. Bring something new that different community is not offering. Atleast try it as WHMCS is earning so much, partnered with cpanel they have everything to invest into it. But why would someone do it we need maximum profit. We want to show we have n numbers of modules in our marketplace so people gets attracted and purchase a whmcs license. This is how things are done.

Certainly I don't think anyone can protect code 100% but we can protect it to a certain level. Recent hack of WGS shows basic filtering were missing lol.

Rules ,t&c etc changes based on time. WHMCS changed their pricing module, now they have different pricing slabs based on active clients. The community members blindly supports WHMCS so much that someday a company like WHMCS will come into market and start offering a better service and security and that will be a game changer. Recent competition to WHMCS doesn't fits much but who knows, wait guys time changes trust me. Today you have WHMCS someday you will have someone else if you provide something which market needs. I sincerely follow how nokia was on top and they were no where in market because they failed to upgrade their system.

https://www.linkedin.com/pulse/nokia-ceo-ended-his-speech-saying-we-didnt-do-anything-rahul-gupta/

Between I am a frog and I will jump out of hot water 🙂

[yggdrasil]

1 hour ago, bullten said:

Well I love when someone tried to give examples to explain something. Someone on top said that if android phone gets hacked by apps provided on google store then how google can be responsible for it. Well you don't read news properly google do remove the  apps if they find breaking its community or creating threat to it. Google/Apple have a team now to check and monitor. So the example was baseless.

Second someone said its impossible to verify codes. By the way I have personally seen developers whom you give code they will take on 15-30 minutes to understand its functioning. Its how you understand logic but mostly developers lacks logic and only knows the particular coding as google is now their friend. Everything is copied from google and coding is done that way now. Dont mind when truth is being said. Well there wasn't google, there wasn't Facebook, there wasn't Windows. Everything was made based on demand,services expectation. The time has come to act to it. Bring something new that different community is not offering. Atleast try it as WHMCS is earning so much, partnered with cpanel they have everything to invest into it. But why would someone do it we need maximum profit. We want to show we have n numbers of modules in our marketplace so people gets attracted and purchase a whmcs license. This is how things are done.

Certainly I don't think anyone can protect code 100% but we can protect it to a certain level. Recent hack of WGS shows basic filtering were missing lol.

Rules ,t&c etc changes based on time. WHMCS changed their pricing module, now they have different pricing slabs based on active clients. The community members blindly supports WHMCS so much that someday a company like WHMCS will come into market and start offering a better service and security and that will be a game changer. Recent competition to WHMCS doesn't fits much but who knows, wait guys time changes trust me. Today you have WHMCS someday you will have someone else if you provide something which market needs. I sincerely follow how nokia was on top and they were no where in market because they failed to upgrade their system.

https://www.linkedin.com/pulse/nokia-ceo-ended-his-speech-saying-we-didnt-do-anything-rahul-gupta/

Between I am a frog and I will jump out of hot water 🙂

Google does scan the PlayStore for malicious apps, but they didn’t initially for years. So does Apple now. And those are automated scans, you don’t think a person checks the code manually which would be impossible for even a few apps in terms of human costs. Even so, you will be surprised that Google does not caught most malicious apps. Most of the ones they remove are done once some security researcher or another person reports them to Google, so the scan has little effect. With the PlayStore or iOS the same principles I mentioned before apply. Check the developer for trust. For example, if you install a Chinese keyboard, you have no idea if the keyboard is now sending all your passwords back to a server in China. In fact, the developer could even bypass Google saying the keyboard only transfers feedback data which is not even a violation of the PlayStore policies. This is in fact how many malware apps are hosted on the PlayStore. It’s a normal app and eventually after a few months or even a year they push an update with something malicious.

Same story for Chrome extensions. Do you think because they are on the Google Store they are secure? No. A lot of extension developers are approached by people offering them money to sell their popular extensions. The reason? The malware author then pushes a rough update back to browsers, an extension that is very popular and innocent now is malicious.

You are also wrong on that WHMCS can check the code. Google does have access to the Android apps, they are not obfuscated. And if they are, Google can’t do anything except reject them. WHMCS and most addons are encoded with IonCube. Open a WHMCS file in your text editor or PHP editor and its nothing but scrambled text, there is no code to be read. That is the whole idea of IonCube, to protect the source code. So even WHMCS can’t know what the code does by looking at it. I don’t agree with this and no serious developer tends to do this either, its highly controversial just like putting DRM on games which causes more issues than problems it solves. Security by obscurity does not work, neither it prevents piracy.

cPanel code is open but nothing will guarantee you either than some extension or module for cPanel is not malicious. Again, use common sense and just don’t run software from people you do not trust.

Now, if you read my other posts, I’m not entirely happy with how WHMCS is running their show. I would be 100% happy, even with all the bugs if the code was open like cPanel. But I will defend them here. There is nothing really, they can do to protect users from malicious addons, except maybe remove them from the market store.

If you disagree, please tell us what WHMCS should exactly do. Suggestions are always welcome.

Edited October 10, 2018 by yggdrasil

[brian!]

1 hour ago, bullten said:

Well I love when someone tried to give examples to explain something.

yeah - it's the crazy world of forums where there is often little point in using an analogy as someone will come along and pick holes with it.

1 hour ago, bullten said:

Second someone said its impossible to verify codes.

didn't he add "virtually" before it ? that word makes all the difference compared to your misrepresentation of what was said.

it's entirely possible for WHMCS to insist on checking the code of products in Marketplace from tomorrow onwards - developers can then either agree to it or have their listings removed... but it's simply not going to happen.

I might be wrong, but I wouldn't see not being listed in Marketplace as a big deal anyway - and if that's so, and WHMCS start putting severe conditions/costs on listings, then developers will simply move to another marketplace.

I dread to think of the bottleneck of developers patiently waiting for their code to be checked after a surprise WHMCS update release, whilst all their clients have already updated WHMCS and are complaining about their existing modules not working.

I get the idea of modules being safe to use, I really do - but all I can see are the issues that would need to be overcome and there are just too many of them for anyone to serious consider doing it - especially with the current state of WHMCS.

19 minutes ago, yggdrasil said:

If you disagree, please tell us what WHMCS should exactly do. Suggestions are always welcome. 

an excellent point - we need to keep this thread on-topic, otherwise TPTB will use it as an excuse to close the thread.

[bullten]

Well I already posted in starting. Whenever is module is generated at some cost whmcs should verify its security to a certain level then encrypted or as per module developer whatever he wants and released. Atleast a common security measures have to be followed. We have a sensitive business. If we gets hacked data gets leaked or deleted then client may sue us. If they sue us we sue the other company. So better to be secured than being late.

Regarding your google analysis. You have anyone in google? Well I have and I know how their market actually works. So arguing on their store doesn't looks authenticate to me.

The way people are defending these things will say someday when WHMC actually gets hacked that WHMCS didnt develop PHP why should they take responsibility lol.

We need to look for betterment not follow legacy policies.

[yggdrasil]

8 minutes ago, bullten said:

Well I already posted in starting. Whenever is module is generated at some cost whmcs should verify its security to a certain level then encrypted or as per module developer whatever he wants and released. Atleast a common security measures have to be followed. We have a sensitive business. If we gets hacked data gets leaked or deleted then client may sue us. If they sue us we sue the other company. So better to be secured than being late.

Regarding your google analysis. You have anyone in google? Well I have and I know how their market actually works. So arguing on their store doesn't looks authenticate to me.

The way people are defending these things will say someday when WHMC actually gets hacked that WHMCS didnt develop PHP why should they take responsibility lol.

We need to look for betterment not follow legacy policies.

Who is going to pay for that? You the customer? If WHMCS has to vet the code from third party developers, would you be willing to pay, lets say $1000 per module instead of the $100 a developer asks now? Because I assume your vetting has to be done by a developer which charges per hour, so he has to check all the code and test it first. And also include the same procedures for every update that is made afterwards. It would be nonsense for someone to look the modules if they don't understand programming...

Do you seriously expect WHMCS to do this for free? Do you check all the files your customers upload to your hosting servers? I suspect you don't. Same story. If I buy a hosting from your company, will you guarantee my website will never get hacked regardless of what I upload and do? I think we know the answer to that. Its impossible for you to verify everything a customers uploads, just like its impossible for WHMCS to verify each single module. Modules are just that, a bunch of files with code and together its called software. The modules are not even hosted on whmcs.com, but on the developers websites. You are not buying anything here. You are redirect to the developers site to buy the module. At that point WHMCS is not responsible anymore. They are only responsible for the official modules they provide or are shipped with WHMCS. That means modules developed by WHMCS the company.

Edited October 10, 2018 by yggdrasil

[bullten]

Again I say to some level. Even there is no guarantee WHMCS cannot be hacked. Someday you will see someone like localhost.re born and hack WHMCS and the owner matt write am email to take up a flight and meet him any part of the world. That was the best email leaked by localhost.re. They are real hackers the never destroy data personally as per what I see. What bad about hacking is when script kiddies gets tools to hack and they do whatever they want. Price have to be decided by someone and that will not go to 1000$ eventually for following basic guidelines. I still tell you I have seen coders who will understand your code in 15-30 minutes where another coder may take days.

Edited October 10, 2018 by bullten

[yggdrasil]

6 minutes ago, bullten said:

Again I say to some level. Even there is no guarantee WHMCS cannot be hacked. Someday you will see someone like localhost.re born and hack WHMCS and the owner matt wrote am email to take up a flight and meet him any part of the world. That was the best email leaked by localhost.re. They are real hackers the never destroy data personally as per what I see. What bad about hacking is when they get tools to hack and they do whatever they want. Price have to be decided by someone and that will not go to 1000$ eventually for following basic guidelines. I still tell you I have seen coders who will understand your code in 15-30 minutes where another coder may take days.

Can you name me one? Just ONE single software that cannot be hacked? Just one. Please. All softwares have security bugs, all of them. Anyone that tells you otherwise is a liar or knows nothing about computers.

You know coders that can look any code and understand it in 30 minutes? Are you serious here or joking? Please tell me where I can meet NEO from Matrix. Are you saying that if I give him 5 million lines of code to check they will know and understand everything in 30 minutes? What do those brilliant minds for a living? Maybe I should hire them and destroy Microsoft and Google in a week.

And to answer your question, nobody can give you a guarantee WHMCS will not be hacked some day. Nobody. This is why you have to take your own security measures and mitigation policies in case that happens one day.

Edited October 10, 2018 by yggdrasil

[bullten]

Read replies man before posting when I said anything cannot be hacked. I am saying basic security measures have to be followed. What whmcs module is of 5 million lines please send me man I am desperate to look into it. I never knew a module have that lines actually exist. The way you take your business is a must separated than what I think. Your thinking will change when you start thinking practically not technically 🙂

Enough of argument I am in already a list for alternatives. Have a nice a day good lucky to you 🙂

Edited October 10, 2018 by bullten

[bear]

14 minutes ago, yggdrasil said:

You know coders that can look any code and understand it in 30 minutes? Are you serious here or joking? Please tell me where I can meet NEO from Matrix. Are you saying that if I give him 5 million lines of code to check they will know and understand everything in 30 minutes?

I'd say that's a bit much, the 5 million lines, but I know a guy that's incredibly good with it, and was eventually hired by Yahoo to manage databases and the queries that ran them. He'd have to configure a change to a live system to fit what they wanted, and was given a downtime window of something like 10 seconds to restart and it *had* to work. He once looked at a script for me that was roughly a hundred lines, and read through it once and knew the fix I needed, which he got right immediately, and wrote it on the fly.
They exist.